Digital Interruption claims it “had been reviewing the security of several adult-themed websites” (ahem) when it found the vulnerability in SinVR, a dodgy-sounding VR game that lets users explore various adult-themed environments and interact with virtual characters.

After reverse-engineering SinVR’s desktop application, it found that the ‘high-risk’ flaw could allow an attacker to download details such as names, email addresses and device names for everyone with a SinVR account, along with the details of those who paid for SinVR content using PayPal.

“Not only could an attacker use this to perform social engineering attacks, but due to the nature of the application it is potentially quite embarrassing to have details like this leaked,” the security firm said.

“It is not outside the realm of possibility that some users could be blackmailed with this information.”

While the application, which relies on Microsoft’s .NET library, was easy to reverse-engineer, Digital Interruption told Security Ledger that it didn’t have such luck when trying to contact the firm, which led it to go public with the information.

The firm behind SinVR has since spoken out, though, and said it fixed the issue as soon as it was told about it.

“Digital Interruption gave us ample warning before posting their finding and we fixed the issue as soon as it was revealed to us,” the company said in a statement to Alphr.

“We are in contact with them and they confirmed that the outlined security hole was closed. Altogether, it has been a tremendous learning experience, which will serve to enhance our security and we are glad that it was conducted ethically.

“Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system. We are making sure that all ‘back door’ intrusions are fully consensual.”